# syntax=docker.io/docker/dockerfile:1.20
FROM ghcr.io/dependabot/dependabot-updater-core
ARG TARGETARCH

# OS dependencies
RUN apt-get update \
  && apt-get install -y --no-install-recommends \
    make \
    ca-certificates \
    gnupg \
    build-essential \
    curl \
  && mkdir -p /etc/apt/keyrings \
  && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
  && NODE_MAJOR=18 \
  && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list

RUN apt-get update -y \
  && apt-get install -y nodejs \
  && rm -rf /var/lib/apt/lists/*

RUN npm install -g @devcontainers/cli

USER dependabot

# Needed because tools like dependabot/cli will proxy/MITM the traffic
# to the registry with a cert that (without this change) is not known
# to the dev container process. See:
# * https://github.com/microsoft/vscode-remote-release/issues/6092
# * https://github.com/devcontainers/cli/blob/2d24543380dfc4d54e76b582536b52226af133c8/src/spec-utils/httpRequest.ts#L130-L162
# * https://github.com/devcontainers/cli/pull/559
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

# Sanity check
RUN devcontainer --version

COPY --chown=dependabot:dependabot --parents devcontainers common $DEPENDABOT_HOME/
COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater
